Cross-Site Scripting Vulnerability in Telerik Reporting for ASP.NET WebForms
CVE-2017-9140

6.1MEDIUM

Key Information:

Vendor

Progress

Status
Telerik Reporting
Vendor
CVE Published:
22 May 2017

What is CVE-2017-9140?

A cross-site scripting (XSS) vulnerability exists in the Telerik.ReportViewer.WebForms.dll component of Telerik Reporting for ASP.NET WebForms. This flaw allows remote attackers to inject arbitrary web script or HTML through the bgColor parameter in the Telerik.ReportViewer.axd endpoint. If successfully exploited, this can lead to unauthorized actions executed on behalf of users or data theft. Users are encouraged to update their versions to the latest release, R1 2017 SP2 (11.0.17.406) or higher, to mitigate the risk associated with this vulnerability.

References

http://www.telerik.com/support/whats-new/reporting/releas...
x_refsource_CONFIRM
https://knowledgebase.progress.com/articles/Article/Secur...
x_refsource_CONFIRM
https://www.veracode.com/blog/research/anatomy-cross-site...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.